Skip to main content

Cloudburst Network EUVDEUVD-2026-34862

| CVE-2026-45291 HIGH
Improper Input Validation (CWE-20)
2026-06-05 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 19:02 EUVD
Analysis Generated
Jun 05, 2026 - 17:50 vuln.today

DescriptionGitHub Advisory

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to 1.0.0.CR3-20260418.124334-32 impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a bug in Network to close the parent netty channel, rendering it inoperable. All consumers of the library should upgrade to at least version 1.0.0.CR3-20260418.124334-32. There are no known workarounds beyond updating the library.

AnalysisAI

Denial of service in CloudburstMC Network versions prior to 1.0.0.CR3-20260418.124334-32 allows remote unauthenticated attackers to close the parent Netty channel, rendering the network layer inoperable. Any publicly accessible application depending on the affected library is exposed, and no public exploit has been identified at time of analysis. The CVSS 7.5 score reflects a high-availability impact with no confidentiality or integrity loss.

Technical ContextAI

CloudburstMC Network is a Netty-based networking library used by Cloudburst projects (commonly associated with Minecraft: Bedrock Edition server software). The library wraps Netty channels to handle RakNet/UDP-style traffic, and the parent channel is the long-lived listener that accepts and dispatches incoming connections. The flaw maps to CWE-20 (Improper Input Validation): malformed or unexpected input received over the network triggers a code path that closes the parent channel rather than a per-connection child channel. Once the parent channel is closed, the entire listener is torn down and stops accepting traffic until the host process is restarted. The affected CPE is cpe:2.3:a:cloudburstmc:network, confirming the issue is scoped to the upstream library rather than a specific downstream consumer.

RemediationAI

Vendor-released patch: 1.0.0.CR3-20260418.124334-32 - upgrade the CloudburstMC Network dependency to this version or later in all affected projects, rebuild, and redeploy. The vendor states there are no known workarounds, so patching is the only supported remedy; details and coordinates are at https://github.com/CloudburstMC/Network/security/advisories/GHSA-rh6x-g5c8-2rmf. As compensating controls until patching is feasible, restrict the listener to trusted source IPs at the firewall or place it behind a UDP-aware proxy that can drop malformed traffic, accepting the trade-off that public-facing services (e.g., open Bedrock servers) will lose reachability from the general internet; alternatively, supervise the host process for automatic restart on channel close to shorten outage windows, recognizing this only reduces downtime rather than preventing the DoS.

CVE-2024-21488 CRITICAL POC
9.8 Jan 30

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_proce

CVE-2021-35048 CRITICAL POC
9.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interfa

CVE-2021-35049 HIGH POC
8.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2021-35047 HIGH POC
8.8 Jun 25

Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker

CVE-2021-35050 HIGH POC
7.5 Jun 25

User credentials stored in a recoverable format within Fidelis Network and Deception CommandPost. Rated high severity (C

CVE-2022-24394 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24393 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24392 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24391 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacke

CVE-2022-24390 HIGH
8.8 May 17

Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level c

CVE-2022-24389 HIGH
8.8 May 17

Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level command

CVE-2022-24388 HIGH
8.8 May 17

Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into

Share

EUVD-2026-34862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy